Essential Eight
ACSC maturity assessment, evidence, and remediation tracking
The Essential Eight is the Australian Cyber Security Centre's (ACSC) prioritised set of mitigation strategies for protecting internet-connected information technology networks. Run Essential Eight maturity assessments across all eight strategies and Maturity Levels 1, 2, and 3, map vulnerability findings to each strategy, and produce assessor-ready evidence packs from one platform.
No credit card required. Free plan available forever.
Essential Eight: prioritised mitigation, not a checklist
The Essential Eight is the Australian Cyber Security Centre's (ACSC) prioritised set of mitigation strategies for protecting internet-connected information technology networks. It distils a much broader catalogue (the Strategies to Mitigate Cyber Security Incidents) into eight strategies that, taken together, materially raise the cost of opportunistic and targeted intrusions. The accompanying Essential Eight Maturity Model defines four maturity levels (ML0, ML1, ML2, ML3) per strategy, so an entity can describe its posture by strategy rather than as a single global score.
Federal non-corporate Commonwealth entities are required to implement the Essential Eight to Maturity Level 2 under the Protective Security Policy Framework (PSPF). Adoption is also widespread across Australian state and local government, regulated industries, and the private sector, in part because the strategies map cleanly to threats most entities actually face. The Information Security Registered Assessors Program (IRAP) provides independent assessment for entities that need formal attestation.
The Essential Eight composes well with broader frameworks. The ISO 27001 management system governs how the technical baseline is selected and operated; the CIS Critical Security Controls cover a wider technical surface area; the NIST Cybersecurity Framework provides the outcome model. APRA-regulated entities frequently treat Essential Eight as a reference baseline for the technical controls obligation under APRA CPS 234 paragraphs 20 to 22. Many Australian entities run Essential Eight as the technical baseline alongside one or more of these frameworks rather than as an isolated programme.
The four maturity levels
The Maturity Model is the unusual part of the Essential Eight. Each strategy has its own Maturity Level expectations, and an entity can sit at different levels across the eight strategies without that being a contradiction. The level chosen reflects the threat profile the entity is defending against, not an aspirational target.
Maturity Level 0: not implemented
Strategies are missing, partially deployed, or operationally undermined to a degree that does not meet ML1. The ACSC is explicit that ML0 is a real state, not a starting placeholder. Many entities sit at ML0 against one or two strategies even when the rest of the programme is mature, so assessment honesty matters more than headline maturity.
Maturity Level 1: opportunistic threats
Aimed at adversaries who use commodity tradecraft and publicly available exploits. ML1 covers application control on user profiles and temporary folders, two-week patching for internet-facing services, blocking macros from the internet, MFA for internet-facing services, and backups with a tested restoration capability. ML1 is the floor, not the goal.
Maturity Level 2: targeted intrusions
Aimed at adversaries willing to invest more time and resources, including credential phishing, privilege abuse, and targeted exploitation. ML2 broadens application control across workstations and servers, shortens patching windows for known-exploited vulnerabilities to 48 hours, requires just-in-time administration, and extends MFA across remote and privileged users of important data repositories.
Maturity Level 3: advanced adversaries
Aimed at adversaries who develop or acquire bespoke tradecraft and target high-value information. ML3 adds Microsoft recommended block rules, PowerShell hardening, phishing-resistant MFA on important data repositories, privileged access management, and backups protected from privileged account modification. The jump from ML2 to ML3 is operational maturity, not just additional controls.
The eight strategies in working detail
The eight strategies cover prevention (1, 3, 4, 5), patching (2, 6), authentication (7), and recovery (8). The summary below is an operator's read on what each strategy means in practice and where the evidence sits, not a substitute for the official ACSC publications.
Application control
In practice, application control is an allow-list of approved executables, scripts, installers, and software libraries on workstations and servers. Maturity Level 1 covers user profiles and temporary folders; ML2 covers all workstation and server locations; ML3 layers Microsoft recommended block rules and verified driver block rules. Authenticated scan output is the highest-signal evidence for ruleset coverage and bypass detection.
Patch applications
Patch internet-facing services within two weeks at ML1 and within 48 hours when an exploit exists at ML2. ML3 extends the 48-hour window to office productivity software, web browsers, email clients, PDF software, and security products. Tie patch evidence per CVE to the affected application, the asset, and the patch deployment record so the time-to-patch is provable rather than asserted.
Configure Microsoft Office macro settings
Block macros from the internet at ML1, allow only vetted macros with a documented business need at ML2, and additionally block Win32 API calls from macros and require antivirus inspection of macros at ML3. The exception register is as important as the policy: an unevidenced macro permission is the most common ML2 finding.
User application hardening
Block Flash, web ads, and Java in browsers at ML1, disable Internet Explorer 11 at ML2, and harden PowerShell with module logging, script block logging, and constrained language mode at ML3. Add Microsoft Office and PDF software hardening across the same maturity ladder. Authenticated scan output evidences the deployed configuration per device.
Restrict administrative privileges
Validate privileged access requests, separate privileged operating environments from unprivileged ones, and audit privileged events at ML1. ML2 introduces just-in-time administration and bans privileged accounts from internet, email, and web service access. ML3 adds privileged access management and credential reset on use. The privilege register and the audit log of privileged events are the working evidence.
Patch operating systems
Two-week patching for internet-facing operating systems at ML1, 48-hour patching when an exploit exists at ML2, and the same cadence applied across all workstations, servers, and network devices at ML3. Replace operating systems no longer supported by vendors. Authenticated and external scan output drives the missing-patch and end-of-life OS evidence directly.
Multi-factor authentication
MFA on internet-facing services at ML1, MFA on all remote users and privileged users of important data repositories at ML2, and phishing-resistant MFA on all users of important data repositories at ML3. Document the MFA factor type, the bypass register, and a test method per service so the maturity claim is verifiable rather than declared.
Regular backups
Back up important data, software, and configuration settings, retain backups for a defined period, and test restoration at ML1. ML2 adds quarterly restoration tests aligned to business continuity objectives. ML3 protects backups from modification or deletion by privileged accounts during the retention window and exercises restoration as part of disaster recovery. Backup configuration, retention, and restoration test evidence are the working artefacts.
The patching strategies (2 and 6) are where most assessments find the largest gap between intent and evidence. The two-week and 48-hour patch windows in the Maturity Model are precise, and evidencing them requires a defensible record of when each CVE became applicable to the entity, when the patch was deployed, and when it was verified. For background on the underlying mechanics, see the vulnerability prioritisation framework guide and the remediation tracking workflow.
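To make the patch windows concrete, here is an added example (not SecPortal code, not ACSC material) that turns per-CVE records into the provable time-to-patch the paragraph describes: the windows are taken from this page's summary of strategies 2 and 6, and the record fields, category names and CVE identifiers are assumed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Windows as stated on this page: two weeks for internet-facing services at ML1, 48 hours when
# an exploit exists at ML2, and at ML3 the 48-hour window extended to the named application
# categories (strategy 2) or to all workstations, servers and network devices (strategy 6).
TWO_WEEKS, FORTY_EIGHT_HOURS = timedelta(days=14), timedelta(hours=48)
ML3_APP_CATEGORIES = {"office", "browser", "email", "pdf", "security"}

@dataclass
class PatchRecord:
    cve: str                      # identifier copied from the scanner output (placeholder here)
    asset: str
    strategy: int                 # 2 = patch applications, 6 = patch operating systems
    category: str                 # assumed labels: "web-service", "browser", "os", ...
    internet_facing: bool
    exploit_exists: bool          # exploit known when the CVE became applicable
    applicable: datetime          # when the CVE became applicable to the entity
    deployed: Optional[datetime]  # patch deployment record (None = not yet)
    verified: Optional[datetime]  # rescan that confirmed the patch (None = not yet)

def required_window(rec: PatchRecord, level: int) -> Optional[timedelta]:
    """Window this record must meet at the target level; None if no window applies."""
    if level >= 2 and rec.exploit_exists and rec.internet_facing:
        return FORTY_EIGHT_HOURS
    if level >= 3 and rec.exploit_exists and (
            rec.strategy == 6 or rec.category in ML3_APP_CATEGORIES):
        return FORTY_EIGHT_HOURS
    return TWO_WEEKS if rec.internet_facing else None

def assess(rec: PatchRecord, level: int, now: datetime) -> str:
    """'in-window', 'late', 'open' (window still running), 'unverified' or 'n/a'."""
    window = required_window(rec, level)
    if window is None:
        return "n/a"
    if rec.deployed is None:                      # nothing deployed yet
        return "open" if now - rec.applicable <= window else "late"
    if rec.deployed - rec.applicable > window:    # time-to-patch exceeded the window
        return "late"
    return "in-window" if rec.verified else "unverified"  # no rescan = not provable

def strategy_status(records, level: int, now: datetime) -> str:
    """Roll records up to the register's three-state status; 'unverified' never
    counts towards Implemented, because the claim must be provable, not asserted."""
    scored = [o for o in (assess(r, level, now) for r in records) if o not in ("n/a", "open")]
    if scored and all(o == "in-window" for o in scored):
        return "Implemented"
    if any(o == "in-window" for o in scored):
        return "Partially Implemented"
    return "Not Implemented"

# Constructed sample records with placeholder CVE ids (not real findings).
NOW, T0 = datetime(2024, 6, 10), datetime(2024, 6, 1)
H, D = timedelta(hours=1), timedelta(days=1)
SAMPLE_RECORDS = [
    PatchRecord("CVE-EXAMPLE-0001", "web01", 2, "web-service", True, True, T0, T0 + 36 * H, T0 + 2 * D),
    PatchRecord("CVE-EXAMPLE-0002", "web02", 2, "web-service", True, True, T0, T0 + 96 * H, T0 + 5 * D),
    PatchRecord("CVE-EXAMPLE-0003", "ws-17", 2, "browser", False, True, T0, T0 + 7 * D, T0 + 8 * D),
    PatchRecord("CVE-EXAMPLE-0004", "web01", 2, "web-service", True, False, T0, T0 + 2 * D, None),
]
```

Running `strategy_status(SAMPLE_RECORDS, level, NOW)` for ML1, ML2 and ML3 shows the same four records producing different statuses, which is why the target level must be fixed before evidence is collected.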
Scoping an Essential Eight assessment
The single largest source of inconsistent Essential Eight assessments is unclear scope. The Maturity Model is precise about what is expected; the assessment is only as good as the asset boundary it is run against. The principles below come up consistently in practice and in the ACSC guidance.
- Pick the Maturity Level per strategy based on the threat profile of the entity and the data sensitivity in scope, not on aspirational targets
- Document why each strategy is at the chosen Maturity Level and where exceptions or compensating controls apply, with rationale and owner
- Map workstations, servers, internet-facing services, important data repositories, and supporting infrastructure before claiming any strategy as Implemented
- Treat each strategy at each Maturity Level as a discrete status at the point of evidence (Implemented, Partially Implemented, Not Implemented) rather than as a sliding score
- Refresh the assessment whenever the asset boundary, data classification, or operating environment changes materially, not only on the annual review
- Keep one source of record for strategy status, evidence artefacts, exception register, and remediation actions so the same data answers the assessor and the executive
Remediation and retest workflow
An Essential Eight assessment is only useful if the gaps it surfaces become tracked work. A remediation register tied to the strategy reference, Maturity Level, and the underlying finding is the difference between an assessment that improves posture and one that produces a static report. Each item below is a record on the engagement, not a row in a side spreadsheet.
- Open a remediation item the moment a strategy is found Not Implemented or Partially Implemented during scanning, audit, or attestation
- Capture the strategy reference, Maturity Level, asset scope, severity, owner, and the evidence pointer per item
- Record the planned remediation steps, milestones, target completion date, and any compensating controls applied during the gap
- Track schedule slippage explicitly with original date, current date, reason for change, and approving authority
- Close the item only after retest or recheck evidence is captured and tied back to the original finding
- Roll status into the strategy register so the maturity picture stays current rather than drifting between reviews
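The closure and slippage rules above, as an added example that is not SecPortal's own code: the item fields follow the list, the finding dictionary shape and identifiers are assumed, and the two rules enforced are that a date change always carries a reason and approver, and that an item closes only on retest evidence referencing the original finding.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

OPENABLE = ("Not Implemented", "Partially Implemented")
RANK = {"Implemented": 0, "Partially Implemented": 1, "Not Implemented": 2}

@dataclass
class RemediationItem:
    finding_id: str        # scan, audit or attestation finding that opened the item
    strategy: int          # Essential Eight strategy reference, 1..8
    level: int             # Maturity Level the finding was assessed against
    status: str            # status recorded at the finding
    asset_scope: str
    severity: str
    owner: str
    evidence_ptr: str      # pointer to the original evidence artefact
    target_date: date
    slippage: list = field(default_factory=list)   # audit trail of date changes
    retest_ptr: Optional[str] = None               # retest evidence that closed it
    closed: bool = False

    def reschedule(self, new_date: date, reason: str, approver: str) -> None:
        """Record slippage explicitly instead of silently overwriting the date."""
        if not reason.strip() or not approver.strip():
            raise ValueError("slippage requires a reason and an approving authority")
        self.slippage.append({"original": self.target_date, "current": new_date,
                              "reason": reason, "approver": approver})
        self.target_date = new_date

    def close(self, retest: dict) -> None:
        """Close only on retest evidence that is tied back to the original finding."""
        if retest.get("finding_id") != self.finding_id:
            raise ValueError("retest evidence does not reference the original finding")
        if retest.get("status") != "Implemented":
            raise ValueError("retest still shows a gap; the item stays open")
        self.retest_ptr, self.status, self.closed = retest["ptr"], "Implemented", True

def open_item(finding: dict, target_date: date) -> Optional[RemediationItem]:
    """Open an item the moment a strategy is found short of Implemented."""
    if finding["status"] not in OPENABLE:
        return None
    return RemediationItem(finding["id"], finding["strategy"], finding["level"],
                           finding["status"], finding["asset_scope"], finding["severity"],
                           finding["owner"], finding["evidence"], target_date)

def strategy_register(items: list) -> dict:
    """Roll item status into the per-strategy register: the worst item sets the
    strategy's status, so only closed (retested) items stop dragging it down."""
    register = {}
    for it in items:
        current = register.get(it.strategy, "Implemented")
        register[it.strategy] = max(current, it.status, key=RANK.__getitem__)
    return register

# Constructed sample finding (placeholder identifiers and paths, not real engagement data).
SAMPLE_TARGET = date(2024, 7, 1)
SAMPLE_FINDING = {"id": "F-0007", "strategy": 5, "level": 2, "status": "Partially Implemented",
                  "asset_scope": "all workstations", "severity": "High", "owner": "IT Ops",
                  "evidence": "scan/2024-06-01/priv-accounts.json"}
```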
How the Essential Eight compares to ISO 27001, CIS, NIST CSF, and the ISM
The Essential Eight is rarely the only framework an entity follows. The contrast below is a practitioner view: which framework to pair the Essential Eight with, not which to pick instead of it.
Essential Eight vs ISO 27001
Essential Eight is a prioritised set of eight technical mitigation strategies. ISO/IEC 27001 is an information security management system standard with 93 Annex A controls covering technical, organisational, physical, and people domains. They compose well: implement the Essential Eight as the technical baseline, and use ISO 27001 as the broader management system that governs how the technical baseline is selected, operated, and improved.
Essential Eight vs CIS Controls
Both are prioritised technical control sets. The CIS Critical Security Controls publish 18 controls and 153 safeguards across Implementation Groups IG1, IG2, and IG3. Essential Eight publishes eight strategies and four maturity levels (ML0 to ML3). The Essential Eight is denser per control and has a strong Australian government regulatory footing; CIS Controls cover a wider surface area. Many entities adopt both with a mapping spreadsheet.
Essential Eight vs NIST CSF
NIST CSF is an outcome-based framework organised around five functions (Identify, Protect, Detect, Respond, Recover) with implementation tiers from Partial to Adaptive. Essential Eight is prescriptive and technical: the eight strategies are specific actions an entity is expected to take. CSF describes what good cybersecurity looks like at a programme level; Essential Eight describes what to do this quarter.
Essential Eight vs ISM and PSPF
The Australian Government Information Security Manual (ISM) is the much broader catalogue of controls from which the Essential Eight is drawn as a prioritised subset, and the Protective Security Policy Framework (PSPF) is the policy framework that mandates protective security across non-corporate Commonwealth entities. Most Australian Government entities are required to apply the Essential Eight at a minimum, with the ISM and PSPF providing the wider obligations.
ACSC publications and IRAP context
The Essential Eight is published and maintained by the ACSC and updated as threat tradecraft evolves. The points below summarise the regulatory and assessment context that shapes how most assessments are run.
- The Essential Eight strategies are published by the Australian Cyber Security Centre (ACSC), part of the Australian Signals Directorate (ASD), as a prioritised subset of the broader Strategies to Mitigate Cyber Security Incidents.
- The Essential Eight Maturity Model defines four maturity levels (ML0, ML1, ML2, ML3) per strategy, with detailed expectations published by the ACSC and refreshed periodically as threat tradecraft evolves.
- Federal non-corporate Commonwealth entities are required to implement the Essential Eight to ML2 under the Protective Security Policy Framework (PSPF), with state, local, and private-sector adoption widespread.
- The Information Security Registered Assessors Program (IRAP) provides independent assessment of Essential Eight maturity for entities that need formal attestation, particularly across Australian Government and critical infrastructure sectors.
Where SecPortal fits in an Essential Eight programme
SecPortal is the operating layer for an Essential Eight assessment. The platform handles scope, target Maturity Level per strategy, scanner evidence, exception register, and the remediation tracker so the assessment runs as a single workflow rather than a recurring spreadsheet rebuild. For Australian consultancies running Essential Eight assessments on behalf of clients, the security consultants workspace bundles that with branded client portals and AI-assisted reporting.
- Engagement management captures the Essential Eight assessment scope, target Maturity Level per strategy, and assessor identity as a structured record so the assessment runs as a single workflow rather than a folder of spreadsheets
- Compliance tracking pre-populates strategy status (Implemented, Partially Implemented, Not Implemented) per Maturity Level per strategy, with evidence pointers and owner attached to each entry
- Authenticated scanning produces direct evidence for application control rulesets, browser configuration, PowerShell hardening, missing patches, end-of-life software, MFA configuration on remote services, and account separation
- External scanning evidences internet-facing patch posture, exposed services, and the patch latency for the services in scope of strategies 2 and 6
- Findings management records each gap as a tracked item with the Essential Eight reference, the affected asset, severity, owner, target date, and the retest evidence that closes it
- AI report generation composes the Essential Eight assessment report from the engagement, the strategy register, the scanner evidence, and the remediation tracker rather than from a blank page
- Continuous monitoring schedules recurring authenticated and external scans so patch latency, end-of-life detections, and configuration drift are caught between formal assessments rather than at the annual review
Looking for the engagement workflow itself? The compliance audits use case captures how SecPortal turns a framework assessment into a structured record covering scope, control or strategy status, evidence, and remediation. The vulnerability assessment use case covers the patching and configuration evidence side of the Essential Eight, particularly for strategies 2 and 6.
Pairing the Essential Eight with a specific operational programme? The penetration testing methodology guide and the security workflow orchestration research cover the broader operating model that an Essential Eight assessment fits into.
Key control areas
SecPortal helps you track and manage compliance across these domains.
Application control
Restrict the execution of unapproved or malicious code on workstations, internet-facing servers, and supporting infrastructure. Maturity Level 1 expects application control on user profiles and temporary folders; ML2 extends to all workstation and server locations; ML3 adds Microsoft recommended block rules and a verified ruleset against Microsoft recommended driver block rules. Track exemptions, ruleset reviews, and bypass evidence per asset.
Patch applications
Patch internet-facing services within two weeks (ML1), within 48 hours when an exploit exists (ML2), and within 48 hours of a vendor release for office productivity software, web browsers, email clients, PDF software, and security products at ML3. Use authenticated and external scan output to evidence applied patches, missing patches, and the time-to-patch per CVE for the in-scope applications.
Configure Microsoft Office macro settings
Block macros from the internet at ML1, only allow vetted macros for users with a demonstrated business need at ML2, and additionally block Win32 API calls from macros and use antivirus inspection of macros at ML3. Capture the policy, the exception register, the antivirus configuration, and the user-by-user justification where macros are permitted.
User application hardening
Configure web browsers to block Flash, web ads, and Java content (ML1), disable Internet Explorer 11 (ML2), and harden PowerShell with module logging, script block logging, and constrained language mode at ML3. Authenticated scan output provides direct evidence for browser settings, deprecated software, and Microsoft Office and PDF software hardening per device.
Restrict administrative privileges
Validate privileged access requests, separate privileged operating environments from unprivileged ones, and review privileged access events at ML1. ML2 introduces just-in-time administration and the ban on privileged accounts having internet, email, and web service access. ML3 adds a privileged access management solution and continuous credential reset on use.
Patch operating systems
Patch internet-facing operating systems within two weeks (ML1), within 48 hours when an exploit exists (ML2), and across all workstations, servers, and network devices on the same cadence at ML3. Replace operating systems no longer supported by vendors. Tie missing OS patch findings, end-of-life OS detections, and exception records to the asset register and the remediation timeline.
Multi-factor authentication
Apply MFA to internet-facing services at ML1, all remote users and privileged users of important data repositories at ML2, and to all users of important data repositories with phishing-resistant MFA at ML3. Capture the MFA factor type, enrolment evidence, bypass register, and the test method per service so the maturity claim is verifiable rather than asserted.
Regular backups
Back up important data, software, and configuration settings, retain backups for a defined period, and test restoration. ML2 requires retention aligned to business continuity objectives and quarterly restoration tests; ML3 adds restoration tests as part of disaster recovery exercises and prevents privileged accounts from modifying or deleting backups during the retention window. Evidence backup configuration, retention, restoration test results, and access controls per backup system.
Run Essential Eight assessments without spreadsheet sprawl
Track all eight strategies and Maturity Levels 1, 2, and 3 in one workflow with scanner evidence, remediation tracking, and assessor-ready evidence packs. Start free.